METHOD AND APPARATUS TO MONITOR AND LOCATE AN ELECTRONIC DEVICE USING A SECURED INTELLIGENT AGENT

This application is a continuation-in-part of U.S. application Ser. No. 08/558,432 filed on Nov. 15, 1995 now U.S. Pat. No. 5,764,892 which is a continuation-in-part application based on co-pending U.S. application Ser. No. 08/339,978 filed on Nov. 15, 1994; a continuation-in-part of U.S. application Ser. No. 08/799,401 filed on Feb. 11, 1997 now U.S. Pat. No. 5,802,280 which is a continuation application based on co-pending U.S. application Ser. No. 08/339,978; a continuation-in-part application of co-pending U.S. application Ser. No. 08/826,098 filed on Mar. 24, 1997 which is a continuation-in-part application of application Ser. No. 08/558,432 now U.S. Pat. No. 5,764,892.

BACKGROUND OF THE INVENTION

Many electronic devices, such as laptop computers and cellular telephones, are becoming more compact and portable. While such portability is extremely convenient for the user, it has given rise to an increased risk of theft. These electronic devices are often very expensive and are easily lost or stolen.

Previously, attempts have been made to provide means for retrieving lost or stolen items of various types. The simplest approach is marking the item with the name and the address of the owner or some other identification such as a driver's license number. If the item falls into the hands of an honest person then the owner can be located. However, this approach may not deter a thief who can remove visible markings on the device.

Password protection schemes are of dubious value in discouraging theft or retrieving an item. Although the data can be protected from theft, the computer hardware cannot be found or retrieved. Another approach has been to place a radio transmitter on the item. This has been done in the context of automobile anti-theft devices. The police or a commercial organization monitors the applicable radio frequency to try to locate a stolen vehicle. This method is not suitable for smaller items such as cellular telephones or laptop computers. First, it is inconvenient to disassemble such devices in order to attempt to install a transmitter therein. Second, there may not be any convenient space available to affix such a transmitter. Furthermore, a rather elaborate monitoring service, including directional antennas or the like, is required to trace the source of radio transmissions.

It is therefore an object of the invention to provide an improved means for tracing or locating smaller lost or stolen objects, particularly laptop computers, cellular telephones, desktop computers and other small, portable electronic devices or expensive home and office electronic equipment.

It is a further object of the invention to provide an improved means for locating lost or stolen items, this means being hidden from unauthorized users in order to reduce the risk of such means being disabled by the unauthorized user.

It is a still further object of the invention to provide an improved means for locating lost or stolen items which actively resist attempts to disable the means by an unauthorized user.

It is a still further object of the invention to provide an improved means for inexpensively and reliably locating lost or stolen items.

This invention also advantageously does not interfere with the operating system or running applications. This is accomplished by disposing the means for initiating communication with a host system in the firmware such as on the ROM BIOS or the modem component of a client electronic device. This security system operates independently of the operating system running on the electronic device.

In addition, a feature whereby the security system transmits through the Internet is disclosed. This feature enables the security system to initiate a call to the host monitoring system even when the client is simultaneously running a different Internet application. This system is also disclosed in co-pending parent application Ser. No. 08/826,098 which is hereby incorporated by reference. This represents an advantage over the system disclosed in co-pending parent application Ser. No. 08/558,432, which is hereby incorporated by reference, which could not transmit while an application was using the modem since interference could alert the user to the presence of the system.

SUMMARY OF THE INVENTION

This invention relates to a security apparatus and method for retrieving lost or stolen electronic devices, such as portable computers, PCs (including stolen components such as CPU, hard drives, etc.), cablevision devices, personal digital assistants (PDAs), cellular telephones, etc. This invention enables electronic devices to be surveyed or monitored by implanting thereon an intelligent Agent with a pre-defined task set. This Agent communicates with a preselected host monitoring system which is capable of multiple services including tracing location, providing identifying indicia such as an electronic serial number (ESN), and electronically notifying the end user/owner of its location. The Agent hides within the software/firmware/hardware of the electronic device, and operates without interfering with the regular operation of the device. According to one embodiment of the invention, the Agent is disposed on the ROM BIOS of the electronic device and the Agent takes control of the electronic device and its facilities during its boot-up. According to another embodiment of the invention, the Agent is disposed on the modem component of the electronic device and the Agent operates independently of the electronic device. Another embodiment of the Agent is on the processing unit (e.g., microprocessor) of the electronic device. Yet another embodiment of the Agent is a hardware implementation, such as hard wired circuitry or a single integrated circuit. The Agent is further designed to evade detection and resist attempts to disable it by an unauthorized user.

The invention provides a novel security device for small computers, cellular telephones and the like which can be programmed as firmware onto the non-volatile memory (such as ROM BIOS, ROM, Flash ROM, EPROM, EEPROM or the like) of such devices. Accordingly, no physical alteration is necessary or apparent to a thief. The existence of the security device is well cloaked and thus it cannot be readily located or disabled even if the possibility of its existence is suspected. Apparatuses and methods according to the invention can be very cost effective, requiring relatively inexpensive modifications to software or hardware and operation of relatively few monitoring devices.

According to one aspect of the invention there is provided an electronic device with an integral security system. The security system includes means for sending signals to a remote station at spaced apart intervals of time. The signals include identifying indicia for the electronic device. The means for sending signals includes a telecommunications interface connectable to a telecommunications system, and
means for dialing a preselected telecommunications number. In an alternative embodiment, signals are sent through a global network interface. This can be accomplished via the standard public telecommunications system which may be linked to a global network service provider, or through a private network (LAN) link to the global network. The remote station includes a telecommunications receiver having the preselected telecommunications number. The remote station and the electronic device may also simultaneously be connected through the global network.

In one embodiment of the invention the electronic device is a computer, and the means for sending signals includes means for providing signals to the telecommunication interface to dial a preselected telecommunication number and send the identifying indicia. The telecommunication interface may be a modem. The means for providing signals may include security algorithm installed as a firmware onto the non-volatile memory (such as ROM BIOS, ROM, Flash ROM, EPROM, EEPROM, or the like) of the computer, a software program, a micro-code program, a digital signal processor ("DSP") program or a built-in function of the operating system.

The security system may be recorded on the boot sector of a hard disk, on a hidden system file such as IO.SYS, MSDOS.SYS, IBMBIO.COM or IBMDOS.COM, or alternatively on the ROM BIOS of the computer, or a combination of both. The security system functions without interfering with the operating system or any running applications. The security system is loaded into memory whenever the electronic device is powered on or reset. It is loaded before the operating system. Alternatively, the security system may be recorded on the Flash ROM of the modem component of the electronic device. The security system functions independently of the main processor of the electronic device. Consequently, the security system as provided in either the ROM BIOS or the modem Flash ROM is operating system independent.

The Agent may be implemented in the firmware or software of any electronic device, such as a computer. Alternatively, the Agent may be implemented in any component of a computer, as with an electronic component such as the DSP in a modem or the CPU in the computer. Furthermore, the functionality of the Agent may be implemented in the circuitry of any hardware device capable of establishing a communication link through sending and receiving packets of data.

There is provided according to another aspect of the invention a method for tracing lost or stolen electronic devices whereby a telecommunications interface is connectable to a telecommunications system at a first telecommunications station. The method includes providing the electronic device with means for sending signals to the telecommunications interface. The means is instructed by the Agent to send first signals to the telecommunications interface which then calls a remote telecommunications station. These first signals contain the encoded identification (serial number) of the sending computer. Upon detecting an incoming signal, the remote computer determines the identification of the sending computer by decoding its serial number, and can retrieve the caller phone number from the telephone company. The remote computer compares the serial number with a predefined listing of serial numbers of reported lost or stolen computers. The call will only be answered if the sending computer is on the predefined list. In an alternative embodiment, this call filtering feature can be removed and the remote computer will answer all incoming calls.

In an alternative embodiment, if the remote computer answers the incoming call then the means for sending signals automatically sends second signals to the telecommunications interface. The telecommunications interface then transmits identifying indicia for the device as well as any other pertinent information to the remote telecommunications station.

There is provided according to another aspect of the invention a method for tracing lost or stolen electronic articles through a global network such as the Internet. The client computer sends DNS queries which contain encoded identification information to a remote station through the Internet. The remote station receives the queries and decodes the encoded identification information in order to determine if the client computer matches an entry on a list of reported lost or stolen computers. If so, the host sends a predefined response to the client computer indicating that it should initiate a traceroute to provide the host with the Internet communication links connecting the client computer to the host. Additionally, when the client computer receives this predefined response from the host it immediately attempts to contact the host via the telecommunications system.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other objects and advantages will become apparent by reference to the following detailed description and accompanying drawings, in which:

FIG. 1 is a schematic system diagram of a preferred embodiment of the electronic article surveillance system in accordance with the teachings of this invention.

FIG. 2 is a simplified illustration of the functional block diagram of FIG. 1 for the purpose of showing an illustrative embodiment of the present invention.

FIGS. 3-1 and 3-2 are an illustrative embodiment in the form of a flowchart of the process by which the operating system and Agent are able to start up and run simultaneously.

FIGS. 4A-1 and 4A-2 are an illustrative embodiment in the form of a flowchart showing the Agent's work cycle according to an embodiment of the invention.

FIG. 4B is an illustrative embodiment in the form of a flowchart showing the routine for determining PCMCIA support in the electronic device.

FIG. 4C is an illustrative embodiment in the form of a flowchart showing the modem call routine initiated by the Agent.

FIG. 5 is an illustrative embodiment in the form of a flowchart showing the Agent startup loading sequence.

FIGS. 6A, 6B, 6C and 6D are illustrations of alternatives to loading of the Agent.

FIG. 7A is a block diagram illustrating the embodiment of Segmented Agent. FIG. 7B is a flow chart of the Segmented Agent process.

[...] illustrating the alternate embodiment of Modem Agent.

FIG. 9 is an illustrative embodiment in the form of a flowchart of a process by which the host identification and filtering subsystem identifies and filters out unwanted calls from Agents.

FIG. 10A is a schematic showing an illustrative embodiment of the encoding/decoding method whereby the monitoring service would have to subscribe to 60 telephone numbers.

FIG. 10B is a schematic showing an illustrative embodiment of the encoding/decoding method whereby the monitoring service would have to subscribe to 300 telephone numbers.

FIG. 11A is an illustrative embodiment in the form of a flowchart of a process by which the host telephone monitoring subsystem exchanges data with an Agent.

FIG. 11B is an illustrative embodiment in the form of a flowchart of a process by which the host Internet monitoring subsystem exchanges data with an Agent.

FIG. 11C is an illustration of a manner in which the client identification is encoded within the host name according to one aspect of the invention.

FIG. 12 is an illustrative embodiment in the form of a flowchart of the process by which the host notification subsystem, contained within the host computer, notifies end-users of the status of monitored devices.

FIGS. 13A and B are schematic diagrams illustrating the embodiment in which the Agent resides in the CPU.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

System Overview

Referring to FIG. 1, the preferred embodiment of the electronic article surveillance system is comprised of three main components: (1) client device A consisting of any one of the electronic devices shown which have been implanted with the Agent; (2) A telecommunication link B such as a switched communications system, the Internet, radio tower, satellite and cable networks; and (3) The host monitoring system C which controls the communications between the client device A and the host monitoring system C.

Referring to FIG. 1, the client device can be a cablevision device A2, laptop computer A3, or other type of electronic device A4 including a cellular telephone or personal digital assistant (PDA). However, for illustrative purposes, the client device consists of a client computer A1 attached to modem M. The host monitoring system C sends and receives data packets from the client computer A1 over a suitable bi-directional transmission medium, such as a common telephone line L1. Telephone line L1 couples the client computer A1 to the host monitoring system C and the host computer 3 through Public Switched Telephone Network B1 (telephone company). The host computer 3 notifies the appropriate parties C3 (owner O, law enforcement agency, or monitoring company) of the status of the client device A via suitable communication means such as electronic mail N1, fax N2, telephone N3 or pager N4. Host monitoring system C also identifies and can filter incoming calls C1, and provide processing, auditing and communication functions C2.

In another embodiment of the invention cablevision device A2 is connected to cablevision network B2 via cable L2. This cable L2 further connects cablevision network B2 to the host monitoring system C.

In another embodiment of the invention laptop computer A3 is connected to radio tower B3 via radio frequency (RF) transmissions L3. These RF transmissions are received by satellite dish S at the host monitoring system C.

In another embodiment of the invention electronic device A4 is connected to satellite B4 via microwave signal L4. Microwave signal L4 further connects satellite B4 to satellite dish S at the host monitoring system C.

In yet another embodiment of the invention client computer A1 is connected to private network (such as a LAN) B7 which is connected to a global network such as the Internet B5 via leased line L5. The connection between client computer A1 and private network B7 can be provided through wireless connection L8. Leased lines L5 and L7 can, according to one embodiment of the invention, transmit data to and from client computer A1 digitally. Host computer 3 is also connected to the Internet B5. In an alternative embodiment of this global network or Internet application, client computer A1 can alternatively, or simultaneously, be connected to the Internet B5 via modem M which is connected to telephone line L1. Telephone line L1 connects to Public Switch Telephone Network (PSTN) B1 which provides access to Internet provider B6 (such as AOL, Netcom, etc.) via telephone line L6. Internet provider B6 provides access to Internet B5 via leased line L7. Alternatively, client computer A1 may be linked directly to Internet provider B6 via wireless communication link L9.

Although this aspect of the invention is described in the context of the Internet, it should be understood by one of ordinary skill in the art that the application of this invention to any currently existing or future global network is contemplated herein. Further, although the Internet aspect of this invention is described and illustrated with respect to client computer A1 it should be understood that the Internet application is readily applicable to the other described devices (including laptop computers, cablevision networks, cellular telephones, personal digital assistants, and other electronic devices).

Referring to FIG. 2, the host monitoring system C has two monitoring subsystems: telephone monitoring subsystem 9x and Internet monitoring subsystem 9y. Telephone monitoring subsystem 9x monitors information transmitted via telephone line 1 from client computer 10 which has an Agent installed thereon. Internet monitoring subsystem 9y monitors information transmitted via the Internet 9j from client computers 10 which have agents installed thereon.

The telephone monitoring subsystem 9x is comprised of a voice board 2, host computer 3a, hard disk controller 4, hard disk 5, CRT 6, keyboard 7, and printer 8. The host computer 3a is coupled to a suitable display device, such as CRT 6, keyboard 7, and printer 8. The keyboard 7 permits the operator to interact with the host monitoring system C. For example, the operator may use keyboard 7 to enter commands to print out a log file of the clients that have called into the system. The host computer 3a illustratively takes the form of an IBM personal computer. The source codes for the host monitoring system C, in Visual C++ by Microsoft, are disclosed in copending application Ser. Nos. 08/826,098 and 08/558,432 and are incorporated herein by reference.

Telephone line 1 is connected to the host computer 3a by a voice board 2 which is adapted to receive and recognize the tones of both caller ID and dialed numbers transmitted via the telephone line 1. Client computer 10 is connected to modem 9 via serial ports 96. Host computer 3a is connected to voice board 2 via data bus 1a. The modem 9 and voice board 2 are connected to telephone line 1 which is routed through Public Switched Telephone Network (PSTN) 9c in accordance with a conventional telephone system. Client computer 10 and modem 9 form a first telecommunication station, while computer 3 and voice board 2 form a second, or remote telecommunications system. The host monitoring system C sends and receives data packets from client computer 10.

Ring signals are received on phone line 1 as an input to voice board 2. In an illustrative embodiment of the invention, voice board 2 may take the form of the DID/120, DTI/211 and D/12X voice boards manufactured by Dialogic Corporation. The voice board 2 is operative to recognize the ring signal. Then it receives the caller ID and dialed numbers and converts them into corresponding digital signals. As explained in greater detail below, in one embodiment of the
invention, the dialed numbers provide in encoded form the unique serial number of the client computer. Host computer 3a decodes the encoded serial number for comparison against a list of reported lost and stolen computers stored in hard disk 5.

In an illustrative embodiment of the invention, the hard disk controller 4 may comprise memory control boards manufactured by Seagate Tech under the designation Hard Disk Controller. The hard disk controller 4 is particularly suitable to control the illustrative embodiment of the hard disk memory 5 manufactured by Seagate Tech under their designation ST-251.

Similarly, the Internet monitoring subsystem 9y is comprised of a host computer 3b, hard disk controller 9e, hard disk 9f, CRT 9g, keyboard 9h, and printer 9i. The host computer 3b is coupled to a suitable display device such as CRT monitor 9g, keyboard 9h, or printer 9i.

Leased line 9k connects host computer 3b to the Internet 9j. Client computer 10 is connected to modem 9 via serial port 9k. Modem 9 and host computer 3b may be connected to the Internet 9j by an Internet provider 9o which uses a communication link such as Serial Line Interface Protocol (SLIP), or Point to Point Protocol (PPP). Alternatively, or simultaneously, client computer 10 may be connected to the Internet 9j through private network (LAN) 9p having gateway to the Internet or the equivalent. In alternative embodiment, client computer 10 may be linked to Internet provider 9o and private network 9p via wireless links L9 and L8 respectively. For illustrative purposes, the communication link is a SLIP link. The Internet monitoring subsystem 9y sends and receives data packets from client computer 10 over the Internet 9j.

Domain Name Service (DNS) queries from the Agent which are transmitted through the Internet 9j are received as input to the host computer 3b. Host computer 3b extracts the host name from the DNS query, and then extracts and decodes the Agent identification (serial number) from this host name. Host Internet monitoring computer 3b uses the decoded Agent identification for comparison against a list of reported lost and stolen computers stored in hard disk 9f. The Internet and DNS queries are discussed in more detail below.

According to one embodiment of the invention, the unique identification associated with each electronic device can be an Electronic Serial Number (ESN). These ESN codes can comprise a string of alphanumeric characters which can be encrypted and encoded. The ESN can be generated randomly by a central delegating body to assure that each electronic device has an ESN which is unique. The ESN can be permanently associated with an Agent security system to enable the unique identification of the electronic device in which the Agent is installed on.

The Agent is a program such as a terminated stay resident program, VxD (Virtual Device driver program), application program (such as Windows service or Windows NT service), or a file filter program. The Agent is installed on hardware, software, or firmware. Some alternative methods of installation are described in co-pending U.S. application Ser. No. 08/558,432 which is hereby incorporated by reference. Once the Agent is installed it will report its identity and its location to the host after specified periods of time have elapsed, and upon the occurrence of certain predetermined conditions. This is further illustrated in co-pending U.S. application Ser. No. 08/558,432.

Once the Agent is installed and running it will periodically (every four hours) report its identity and location on the Internet 9j to the Internet monitoring subsystem 9y. The Agent can also concurrently report its identity and location to the telephone monitoring subsystem 9x through PSTN 9c after specified periods have elapsed, and upon the occurrence of certain predetermined conditions. This is further illustrated in FIGS. 3-1 and 3-2.

Internet and DNS Queries

The Internet is a collection of networks linked together by IP routers and high speed digital links. Computers which have access to one of these networks can run Internet applications to send and retrieve digitally recorded files such as audio and video files. Some of the popular Internet applications are Netscape (used to surf the web), Eudora (for e-mail), Telnet (for logging on to another computer), ping (Internet utility for checking the status of a particular machine). These Internet applications can be run simultaneously. Thus, a computer can be running client programs such as Eudora and Netscape and at the same time be an FTP Server (File Transfer) for other clients that want to transfer files. The applications share the same communications links to the Internet and computer resources (cpu and memory). Thus, multiple applications can simultaneously run without interfering with each other. There is, however, a resultant diminishing effect on performance. The Agent of the instant invention would have virtually no effect on the performance of other applications since it transmits such a small data packet.

Each computer linked to the Internet has a unique Internet host name/IP address. Computer networks comprising one or more of these computers are also given names to form a hierarchical naming structure. For instance, the web site for IBM is "www.ibm.com." The prefix "www" is the name of the computer (server) which is attached to the ibm.com network. Addresses could be coded using numbers, but this would make administration of the Internet extremely difficult. Instead, a method providing for the mapping of Internet host names to network addresses was implemented. This mapping system is the Domain Name System (DNS). It is a distributed, hierarchical administrative system. At the top of the hierarchy is the root domain containing the top level domains (com, edu, net, ca, us, etc.). At the bottom end is a domain name such as cs.berkeley.edu. which corresponds to the computer science department of the University of California at Berkeley. Each domain has more than one authoritative server which can map its Internet host name to its IP (numerical) address.

If a user wants to access the site at www.psmith.cs.berkeley.edu from the address pliving.absolute.com, the user would first input www.psmith.cs.berkeley.edu. into his web browser. The web browser would then send a DNS query to the absolute.com authoritative server to determine if the desired address had been recently resolved (DNS resolutions are cached to enhance the performance of the DNS system). If the absolute.com DNS server cannot resolve this address, then the next DNS server up the chain is checked (the DNS server at the "com" level). If that higher level server also cannot resolve the address, then the root server directs the process down the chain to the top level "edu" DNS server. If the "edu" DNS server cannot resolve the address, then the DNS server at berkeley.edu is contacted. Ultimately, a DNS server is found that can determine the appropriate IP address based on the Internet host name. The IP address is provided to the web browser to enable communication with www.psmith.cs.berkeley.edu.

Once the desired IP address has been determined, packets of data can be sent across the Internet through IP routers.
These IP routers can read the numerical addresses and determine where to send each packet. Each IP router has a unique IP address. Typically, several IP routers need to be contacted to link a user with his desired Internet site. As explained in more detail below, the traceroute routine provides a listing of all IP routers used to enable communication between a client and host.

Functions of the Agent

The Agent may be implemented in the firmware or software of any electronic device, such as a computer. Alternatively, the Agent may be implemented in any component of a computer, as with an electronic component such as the DSP in a modem or the CPU in the computer. Furthermore, the functionality of the Agent may be implemented in the circuitry of any hardware device capable of establishing a communication link through sending and/or receiving packets of data.

One of the important functions of the Agent is to contact the host monitoring system C to report the identity, location, and other information relating to its associated client computer 10. The Agent has to determine the appropriate time for it to call the host monitoring system C. The Agent can contact the host monitoring system C through the PSTN 9c connecting to the telephone monitoring subsystem 9x, or through the Internet 9j which connects the Internet monitoring subsystem 9y. Thus, the Agent can communicate with a host monitoring system C using either the Internet or the PSTN techniques. Alternatively, the Agent may rely concurrently on both techniques.

FIGS. 3-1 and 3-2 together are a flow chart of the process in which the Agent is loaded when the client computer 10 is initially turned on or reset, and the manner in which the operating system and Agent run concurrently. In this illustrative embodiment, the Agent is embedded in software. Once the client computer 10 is powered on 11, it performs a power on self-test (POST) 12. The POST tests the system hardware, initializes some of the devices for operation, and loads the master boot record (MBR) 13. Since the MBR was installed with an Agent subloader, the subloader is loaded into memory 14 and executed. The subloader's first task is to load the Agent into memory 15 (which is discussed in detail below in reference to FIG. 5.) Then the subloader

In such a scenario, the Agent would poll the communication ports (corresponding to the different communication mechanisms) to find free communication equipment. If the Agent fails to find any free equipment, then the Agent will abort its attempt to call the host and repeat the cycle 18 [...] one-eighteenth of a second. However if the Agent finds free communication equipment, it will call the host 21. Upon receiving a call from the client computer 10, the host examines the Agent identity, which according to the preferred embodiment is the serial number of the client computer, and determines if a connection should be established 22. The host establishes a connection when the serial number of the computer contacting the host matches an entry on a list of reported lost or stolen computers. In an alternative embodiment, this call filtering feature is eliminated and the host system establishes a connection whenever there is an incoming call. The list of reported lost or stolen computers is maintained within the host monitoring system C. If the host does not accept the call then the Agent will not call back until the next appropriate time (after predetermined time period has elapsed) 18. If the host accepts the call, then the Agent will send the host its encoded identity (such as its ESN), location (caller ID), any relevant serial numbers of computer components, such as CPU, hard drive, BIOS and any other desktop management interface (DMI) and any other pertinent information such as local date and time 23. The Agent then checks if the host has any data or commands for the client 24. If the host has no data or commands to be sent, then the Agent will terminate the call and repeat the cycle 18. Otherwise, the host will send the data or commands 25 before it terminates the call, and returns to "active" mode 18. Additional details of this work cycle are found in the copending patent application Ser. Nos. 08/826,098 and 08/558,432 which have been fully incorporated by reference herein.

D. Internet

In the Internet application, which can run alone or concurrently with the PSTN application, the Agent initiates a call to the host at relatively short predetermined intervals. According to the preferred embodiment, in its "active" mode the Agent calls the host every four hours 18a. The Agent uses the current time and the unique Agent identification to encode an Internet host name 18b. The Agent then forms a
loads the operating system (OS) into memory 16 and returns rj^s request using the encoded Internet host name 18c. The 
control to the operating system. Now both the operating 45 Agent sends this DNS request to the host through the 
system 17 and the Agent 18 are running simultaneously. Internet lSd. If the agent's attempt to send the DNS request 
a. PSTN to the Internet times out ISh after a predetermined time 
In the PSTN application, once the Agent is running 18, it period has elapsed, the Agent will sleep for one minute and 
will determine the appropriate time to call the host 19. The then repeat the cycle from step 18k If the call fails due to 
time period in which the Agent is waiting for the appropriate 50 another error (such as the absence of winsock facilities 
time to call the host is the "active" period. The Agent will which enable communication with the Internet, and/or the 
only call the host when a pre-defined time period has failure of the computer to be configured for TCP/IP 
elapsed, or when a pre-determined event has occurred which communication) lSe then the Agent will repeat the cycle 
triggers the client to contact the host. Every one-eighteenth four hours later 18a. In this way, the Agent inherently checks 
of second the Agent compares the current date and time with 55 for the existence of an Internet connection, 
the date and time that the Agent is due to call the host. If the After sending its DNS request, the Agent waits for a 
Agent determines that it is time to call the host it will transfer response. Upon receiving a valid response from the host 18e, 
to "alert" mode. the IP address is extracted from the response and compared 
In alert mode the Agent will attempt to call the host against a reference IP address 18/ In this illustrative 
eighteen times per second until it is successful. Once in alert 60 embodiment of the invention the reference IP address is 
mode, the Agent does a thorough search within the computer "204.174.10.1". If the IP address equals "204.174.10.1" then 
to find free (not currently being used by any running the agent's mode is changed from "active" to "alert" on the 
application) communication equipment 20. In an illustrative Internet side 18g. The host will send this reference IP 
embodiment, the communication equipment comprises a address only when it has determined that the Agent identi- 
modem 9. It is contemplated herein that different commu- 65 fication matches one of the entries on a list of reported lost 
nication mechanisms (i.e., modem, satellite link, RF link, or stolen computers stored at the host. If the IP address 
etc.) can be provided at several of the communication ports. extracted from the host response does not equal 
"204.174.10.1" then the Agent remains in active mode and does not call the host for another four hours.

As will be explained in more detail below, when the Agent goes into "alert" mode in the Internet application, the Agent initiates a traceroute routine which provides the host with the Internet communication links that were used to connect the client computer to the host. These Internet communication links will assist the host system in tracking the client computer. The IP address of the source of the DNS query is sent to the host within the DNS query. However, if the source of the query is transmitted through a "proxy" server, then the IP address of the client computer (which may not be unique since it may not have been assigned by the InterNIC) will likely be insufficient to track the location of the client computer. In such a scenario, it is necessary to determine the addresses of other IP routers which were accessed to enable communication between the client and the host. These addresses and the times that they were accessed are compared with internal logs of the proxy server which record its clients' Internet access history. In this way, the client can be uniquely identified and located. Additionally, the transfer of the Internet application into "alert" mode is a condition which triggers the transfer of the PSTN application to "alert" mode.

The system remains transparent to an unauthorized user via implementation of well known deflection methods. Attempts to read or write to the location where the Agent has [... several lines illegible in the source; only the words "meaningless bytes of data" can be made out ...] applications unless designed to interfere.

Referring to co-pending U.S. application Ser. No. 08/826,098, the details describing the background process operations relating to the Internet application are disclosed and are incorporated herein by reference.

ROM Agent

In accordance with another aspect of the present invention, the Agent resides as firmware in ROM. As in the embodiment in reference to FIGS. 3-1 and 3-2, the ROM Agent is installed during a typical boot up sequence to the operating system of a computer. It should be understood that this invention is applicable to other types of computers and electronic devices presently available or as marketed in the future with suitable modifications. The aspect of the invention described below is the process of installing the security software onto a client computer such as the computer workstation 10 or a portable computer without relying on the operating system of the computer. The method of installation is crucial because the software must remain undetectable once installed. Furthermore, the software should be as difficult as possible to erase. In summary, the invention achieves these objects by installing the software in such a manner that it remains hidden to the operating system, such as MS-DOS.

Referring to FIG. 5, the Agent startup and loading sequence is described. The computer 10 is powered on and the loading sequence begins 700. As is well known in the art, the machine's start-up ROM procedure 701 in the computer 10 begins when the power is turned on. This process supervises the booting up and loading of the operating system of the computer. It performs the power-on self-test (POST) 702, in fact POST is carried out on every reset of the system, including the time when the power is first turned on. This test has two purposes: it performs a quick test 703 of the basic elements of the system; and it initializes the major hardware components for use. POST tests all of the ROMs on the system board by performing a checksum. This test adds together all of the bytes in the ROM module. As it does the addition, it discards any carry from the 8-bit result. If the final result is zero, the ROM passes the test. The initialization is done immediately after POST, it checks for new equipment and extensions to ROM 704. If it finds any 706, it momentarily turns control over to the ROM extensions so that they can initialize themselves. By design, the ROM Agent is a ROM extension, therefore its initialization routine will receive control 707 from the computer during the machine's start-up ROM procedure.

Once activated the Agent takes control of the whole computer 708. If it determines that it should call the Host computer, it follows the processes described in reference to FIGS. 4A-1, 4A-2, 4B, and 4C. Basically, it finds a free communication port, establishes a communication link to the Host, sends its identity then relinquishes control back to the machine's start-up ROM procedure. After POST ended 713, the machine's start-up ROM procedure loads the operating system from disk 714, and passes control to it 715.

Detailed Operation of Agent Work Cycle

Referring to FIGS. 4A-1 and 4A-2, a flow chart is provided which describes one embodiment of the Agent work in accordance with the invention. The Agent looks for communications ports to be used. There are two types of communications ports: the old but popular communications ports are called COM; and the new PCMCIA ports are called PCMCIA. Since COM is the more popular than PCMCIA, the Agent first looks for COM communications ports 322-338, if no COM communications ports are found then it will look for PCMCIA ports. To find COM communications ports, the Agent checks all COM port addresses using COM port address table 333 to see if they exist 335. The first one encountered will be dynamically hooked 336 into by swapping the appropriate interrupt handler and unmasking the appropriate interrupt request line. If an error occurs, the next port will be checked 338, 334 until either a valid COM port is found or the COM port address table has been exhausted 338. If the COM communication port responds properly, then the Agent attempts to check if a modem is currently connected to this COM communications port via issue of the Hayes compatible AT command 339. If the modem does not exist, then the next port will be checked 338. If the modem exists it will respond with an "OK" to the AT command 341.

If no COM ports are found or if no modems are connected to COM communications ports and if BIOS supports PCMCIA modem 340, the Agent attempts to locate PCMCIA communications ports 340-350. The Agent searches for PCMCIA communications ports and PCMCIA modems in steps 342-350 in a fashion similar to the way it searches for COM communications ports 322-338. If no PCMCIA support is enabled 340 or no PCMCIA ports are found the Agent will stop 358.

After a functional communications port and a modem are found regardless of their type the Agent will attempt to initialize the modem by sending it modem initialization strings 351-353 using strings from a table of initialization strings. If the modem does not respond with an "OK" 355, this indicates that the initialization attempt failed 356. If the initialization attempt failed, then the next set of strings in the table will be tried 354, and so on until a valid set of initialization strings is found, or the modem initialization string table is exhausted 356 at which point, the Agent will stop 358.

During the system boot process, when the Agent stops at 
358, it relinquishes control back to the machine's start-up 
ROM procedure (see step 715 in FIG. 5). 
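
The POST checksum rule described with FIG. 5 (all bytes of a ROM module must add up to zero in 8 bits) is also what an auditor can use to enumerate every ROM extension that will receive control at boot and compare it with a known-good inventory. The following is an added example, not code from the patent: the 55 AA header signature, the 512-byte length unit, the 2 KiB scan step and the 0xC0000 base are standard PC option-ROM conventions assumed here, and the sample dump and baseline are constructed.

```python
import hashlib

SIGNATURE = b"\x55\xaa"  # option-ROM header signature (PC convention, assumed)
BLOCK = 512              # header byte 2 holds the image length in 512-byte blocks
SCAN_STEP = 2048         # the start-up ROM procedure probes 2 KiB boundaries


def checksum8(data):
    """Add every byte and discard carries out of the 8-bit result."""
    return sum(data) & 0xFF


def scan_rom_extensions(dump, base=0xC0000):
    """Find ROM-extension headers in a dump of the adapter-ROM area."""
    found, off = [], 0
    while off + 3 <= len(dump):
        step = SCAN_STEP
        if dump[off:off + 2] == SIGNATURE and dump[off + 2]:
            length = dump[off + 2] * BLOCK
            image = bytes(dump[off:off + length])
            complete = len(image) == length      # header may claim more than the dump holds
            valid = complete and checksum8(image) == 0
            found.append({
                "address": base + off,
                "length": length,
                "checksum_ok": valid,
                "sha256": hashlib.sha256(image).hexdigest(),
            })
            if valid:
                # A module that passes is initialized; the scan resumes after it.
                step = -(-length // SCAN_STEP) * SCAN_STEP
        off += step
    return found


def audit(dump, baseline, base=0xC0000):
    """Classify each ROM extension against a set of known-good SHA-256 digests."""
    report = []
    for rom in scan_rom_extensions(dump, base):
        if not rom["checksum_ok"]:
            status = "bad-checksum"   # firmware skips it, but it is still worth a look
        elif rom["sha256"] in baseline:
            status = "known"
        else:
            status = "unknown"        # will run at boot yet is not in the inventory
        report.append((rom["address"], status))
    return report


def make_rom(blocks, fill, good=True):
    """Build a constructed ROM image whose bytes sum to zero (or deliberately not)."""
    image = bytearray([0x55, 0xAA, blocks]) + bytearray([fill]) * (blocks * BLOCK - 3)
    image[-1] = 0
    image[-1] = (-checksum8(image)) & 0xFF   # pad byte that zeroes the sum
    if not good:
        image[-1] ^= 0x01
    return bytes(image)


def build_sample():
    """Constructed 64 KiB dump: one inventoried ROM, one corrupt header, one extra ROM."""
    dump = bytearray(b"\xff" * 0x10000)
    video = make_rom(16, 0x11)              # 8 KiB, listed in the baseline
    stale = make_rom(2, 0x22, good=False)   # 1 KiB, fails the checksum
    extra = make_rom(4, 0x33)               # 2 KiB, valid but not inventoried
    for off, img in ((0x0000, video), (0x4000, stale), (0x8000, extra)):
        dump[off:off + len(img)] = img
    return bytes(dump), {hashlib.sha256(video).hexdigest()}


if __name__ == "__main__":
    sample_dump, known_good = build_sample()
    for address, status in audit(sample_dump, known_good):
        print(f"{address:#07x}  {status}")
```
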

FIG. 4B describes in detail how the Agent detects whether 
PCMCIA support is enabled. It does this by checking to see 
if the computer is using a PCI BIOS 387, and the Cirrus 
PD6729 PCI Controller chip 389. If these features and chip 
set are detected, the Agent checks for port conflict 390 and 
wakes up the Cirrus PCI Controller 391. The Agent makes an
I365_IDENT call to PCMCIA Controller to identify the
chip further 392. Such I365_IDENT call is also made to the 
PCMCIA Controller even if the PCI BIOS and Cirrus PCI 
Controller are not present. The PCMCIA Controller chip is 
then initialized 393, if the chip is initialized successfully 
then PCMCIA support is enabled 395, otherwise PCMCIA 
support is not enabled 388. Once a valid and available 
communications port has been found, and it has been 
verified that a functional modem is associated with that port, 
the system will attempt to dial out to the remote host 357 
(see also 370 in FIG. 4C). 

Referring to FIG. 4C, the Modem Call routine 370 is 
illustrated. A dial string table 372 is used 371 to attempt the 
call since a PBX or switchboard etc. may need to be exited 
via a dialing prefix. If successful 373-374, the CONNECT 
result code (numeric or letters) from the modem will be 
received by the client 374. The Agent also decrements the 
offset in the dial string table so that the next time the
machine is powered on or reset, the current dial string will 
be used. The host will send a signal ("Query") to the client 
requesting its serial number. If the client does not receive the 
"Query" signal 379 it will abort 384, reset the communica- 
tion port and modem 385, and repeat the cycle 334, 343. If 
the client receives the "Query" signal, then the serial number 
is sent 380. At this point, telecommunications have been 
established and the agent-host transaction begins. If the 
transaction succeeds, the resultant state will be "active", 
otherwise it will be "alert". If a "NO DIALTONE" or 
"BUSY" event occurs 375-376, the offset in the Dial String 
Table will be incremented 378 so that the next dial string 
will be attempted the next time the machine is powered on 
or reset. 

The Agent to remote host transaction involves the sending 
of the computer serial number 380 via the telephone com- 
pany or carrier service. The "Caller ID" is implicitly 
received by the remote host (typically during the initial 
telecommunications event "RING"). Upon the occurrence of
the event "CONNECT", the host sends the client a vendor
specified message called "QUERY" 379 which in effect tells
the client to send its serial number 380. This involves the
host acknowledging that it has received 381 and processed
383 the serial number thereby validating it. The client will
attempt this call a pre-defined number of times 382 before it 
gives up (disconnects, cleanups, unhooks port 384, resets 
communication port and modem 385, repeats the cycle 300). 
At this point, the modem disconnects 384, and any other 
cleanup necessary occurs (such as changing the date of the 
last call to the present). Finally, the resultant state will be 
reset to "active" and the Agent will remove all traces of it in 
memory to avoid being detected by unauthorized users. The 
Agent then stops 386. During system start-up, when the 
Agent stops, the machine's start-up ROM procedure con- 
tinues to scan for the next ROM extension (see step 712 in 
FIG. 5.) 



If the computer that called in was not reported stolen, no 
further action with regard to the computer system that called 
in will be taken. If, however, the serial number transmitted 
to the remote Host matches one of the serial numbers on a 
currently valid list of stolen computers, further processing 
will occur to facilitate the recovery of the missing equip- 
ment. Such processing includes, but is not limited to, placing 
either an automatic or manual call to the local authorities in 
the vicinity of the missing equipment or the owner of such 
equipment. 

Instead of making a modem call via the PSTN, the BIOS 
Agent may be configured to communicate with the host 
monitoring server via the internet in a similar fashion as 
explained in reference to FIGS. 3-1 and 3-2. 
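
Seen from the network, the Internet application described in reference to FIGS. 3-1 and 3-2 is a fixed-interval DNS lookup for a never-repeated, time-encoded name, with a one-minute retry after a timeout and a mode change signalled by the answer address. The following added example (not code from the patent) shows how an administrator could surface that pattern in resolver logs; the log format, the domain names, the thresholds and the sample log are constructed assumptions, and only the four-hour cycle, the one-minute retry and the reference address 204.174.10.1 come from the text.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

RETRY_WINDOW = 120   # seconds; gaps this short are timeout retries, not new cycles
MIN_INTERVALS = 3    # long gaps required before periodicity is judged
JITTER = 0.05        # tolerated deviation from the median interval

# Constructed resolver log: timestamp, client, query name, answer.
SAMPLE_LOG = """
# client with unique names, a four-hour cycle and one timeout plus retry
2024-03-01T00:00:05 10.0.0.5 a1f3c9d2.tracker.example 192.0.2.10
2024-03-01T04:00:07 10.0.0.5 b7e20c41.tracker.example 192.0.2.10
2024-03-01T08:00:04 10.0.0.5 c90d55aa.tracker.example SERVFAIL
2024-03-01T08:01:06 10.0.0.5 c90d5a13.tracker.example 192.0.2.10
2024-03-01T12:01:09 10.0.0.5 d4417be0.tracker.example 192.0.2.10
2024-03-01T16:01:05 10.0.0.5 e58a9f32.tracker.example 192.0.2.10
2024-03-01T20:01:08 10.0.0.5 f6c3017d.tracker.example 204.174.10.1
# ordinary browsing: the same name is looked up again and again
2024-03-01T00:10:00 10.0.0.7 www.example.org 198.51.100.4
2024-03-01T00:45:12 10.0.0.7 www.example.org 198.51.100.4
2024-03-01T03:02:40 10.0.0.7 www.example.org 198.51.100.4
2024-03-01T09:15:00 10.0.0.7 www.example.org 198.51.100.4
# unique names but irregular timing
2024-03-01T00:03:00 10.0.0.9 img1.cdn.example 198.51.100.20
2024-03-01T00:03:02 10.0.0.9 img2.cdn.example 198.51.100.21
2024-03-01T01:40:00 10.0.0.9 img3.cdn.example 198.51.100.20
2024-03-01T07:12:00 10.0.0.9 img4.cdn.example 198.51.100.22
2024-03-01T07:50:00 10.0.0.9 img5.cdn.example 198.51.100.20
"""


def is_ip(text):
    """True when the answer field is an address rather than an error code."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parent_domain(qname):
    """Simplification: treat the last two labels as the parent domain."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def find_beacons(lines):
    """Return one finding per (client, parent domain) that looks like a timed beacon."""
    groups = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, answer = line.split()
        key = (client, parent_domain(qname))
        groups[key].append((datetime.fromisoformat(ts), qname.lower(), answer))

    findings = []
    for (client, parent), events in sorted(groups.items()):
        events.sort()
        names = [q for _, q, _ in events]
        if len(set(names)) < len(names):
            continue                      # repeated names are not time-encoded
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        long_gaps = [g for g in gaps if g > RETRY_WINDOW]
        if len(long_gaps) < MIN_INTERVALS:
            continue                      # too few cycles to judge
        mid = median(long_gaps)
        if any(abs(g - mid) > JITTER * mid for g in long_gaps):
            continue                      # timing is not periodic
        answers = [(ts, a) for ts, _, a in events if is_ip(a)]
        usual = Counter(a for _, a in answers).most_common(1)[0][0] if answers else None
        findings.append({
            "client": client,
            "parent": parent,
            "interval_s": int(round(mid)),
            "retries": len(gaps) - len(long_gaps),
            # An answer that departs from the usual one is the mode-change signal.
            "answer_changes": [(ts.isoformat(), a) for ts, a in answers if a != usual],
        })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG.splitlines()):
        print(finding)
```
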
Variations on Loading the BIOS Agent 
Four alternative ways of installing the Agent security 
system during the disk boot were disclosed in co-pending 
U.S. application Ser. No. 08/558,432 which is hereby incor- 
porated by reference. In one of the alternative methods of 
installation the Agent was disposed on the ROM BIOS using 
hook interrupts and saving and restoring CPU registers. That 
method required these brute force techniques to enable the 
Agent to be compatible with certain operating systems. 
Operating system independent Agents are further disclosed 
herein. 

Referring to FIG. 6A, the Agent is implanted in the boot
sector of the computer's hard-disk 721. The Agent is loaded 
into memory when the computer is turned on or reset 722. 
Once active, the Agent executes in memory 723 until the 
computer is powered down or reset. 

Referring to FIG. 6B, the Agent loading sequence is 
described 105-116 for loading the Agent via a ROM BIOS. 
This schematic illustrates an embodiment of this invention 
on firmware. The sequence is analogous to that disclosed in 
the parent applications for the embodiment in which the 
Agent is embedded in the operating boot sector embodi- 
ment. However, the Agent is loaded from the ROM after the 
CPU registers are saved 107. At that time the ROM can take 
control of the system and load the Agent. Once the CPU 
registers are restored 113, the ROM can no longer load the
Agent. More particularly, after the computer 10 is powered
on or reset, the loading sequence begins 64. As is well
known in the art, the computer 10 performs an initial
testing routine to assure that all components are working 
properly 65. Illustratively, the program incorporated is the 
IBM-PC compatible Power-On Self Test ("POST") routine. 
Next, in an effort to maintain the transparency of the Agent, 
the CPU registers (corresponding to the current state of the 
computer) are saved 107. Before the Agent is installed there 
is a check for a Remote Procedure Load ("RPL") signature 
108. If the signature is present, this indicates that the Agent 
is already in memory and will not be loaded again. However, 
if there is no RPL signature, then preparation is made to load 
the Agent. First, space is reserved for the Agent at the ceiling 
of conventional memory 109. Next, Interprocess Commu- 
nication Interrupt (2Fh) is hooked 110 which enables com- 
munication with other programs. Interrupt 13h, which is the 
disc input/output handler, is hooked 111. The old timer 
interrupt is saved, and new hook timer interrupt is put into 
place 112. Now the CPU registers are restored 113 in order 
to maintain the transparency of the system. The original 
operating system boot sector is loaded 114. The original 
operating system had been moved to accommodate the agent 
installation. Finally, the operating system is loaded 115 and 
running again 116. 

Another configuration of the BIOS Agent is shown in FIG.
6C. The Agent is implanted into the computer's BIOS 731






US 6,269,392 B1

and/or bootstrap BIOS. When the computer is turned on or reset, the Agent loads itself into memory and checks for an image of itself on the computer's hard-disk 732. If an image of the Agent is found, that image is refreshed 733 and run from the disk 734. If an image is not found, one is created on the disk 735. The newly created image is then loaded into memory and run from the disk 734.

Turning to the operating system independent methods, referring to FIG. 6E, the Agent is implanted into the computer's BIOS 741 and runs directly from the BIOS 742. As more fully discussed below, variations of the BIOS Agent may include implanting the Agent in a DSP of a modem, a CPU of the electronic device, a hard wired circuitry or an integrated circuit in the electronic device.

All of the above BIOS Agents may be configured to communicate with the host monitoring server via modem call and/or internet.

Segmented Agent

Referring to FIG. 7A, an alternate embodiment of the operating system independent BIOS Agent is described in which the Agent 751 is segmented into two components. The Secure Protocol Component (SPC) is implanted into the computer's BIOS 752. The SPC handles device tracking function only 753. Additional functions, such as asset and configuration management, are handled by a High Level Component (HLC) that resides on the computer's hard-disk 754 and run from the disk 755.

Referring to FIG. 7B, the embodiment of FIG. 7B is described in greater detail. The SPC 757, upon recognizing machine events and at specified intervals, checks to see whether the Operating System is installed and active on the hard-disk 758. Events that can be recognized include Power Management events and Plug-and-Play queries such as the ACPI (Advanced Configuration & Power Interface) adopted by Microsoft and other developers or SMI (System Management Interface) adopted by Intel and others. Power Management events are generated from the hard-disk powering down, the CPU switching speeds, or the display switching on or off. Plug-and-Play queries are received from the Operating System when it is identifying devices installed in the machine and loading drivers to control those devices. If the SPC is able to communicate with the Operating System, it determines if it is time to contact the Server 760. It does this by checking a "counter" which is reset to a certain value during bootup and then decremented with each check that is performed. Any time the counter reaches 0 (zero), the SPC contacts the Server 761. If the SPC is unable to establish a communication link with the Operating System, it assumes that a problem exists with the system and forces the counter to 0 (zero) 759. The SPC then immediately establishes a link to the Server 761 by any of the means discussed before regardless of the amount of time that has elapsed since the last connection.

Once a communication link has been established between the SPC and the Server 762, the Server asks the SPC to identify itself 763. The SPC responds with the ID of the device that is being tracked 764. The Server then sends a request to the SPC 765 asking that it perform one or more tasks at a specified future time (such as contacting the Server again). At the appropriate time, the SPC responds to any such request 766. All communications between the Agent and the Server will incorporate data encryption 767 to provide an additional layer of security and prevent the sophisticated end user from intercepting or transmitting messages in an attempt to interfere with device tracking. The Server will determine the location of the tracked device with whatever means are available through the particular communication service being utilized. For instance, if a link were established over standard phone lines, Caller ID/ANI could be used to fix the location, or if a link were established over Internet, the IP address can be used to fix the location. The capabilities of the software installed on the hard disk would be based upon the needs of the customer and might include advanced asset management or system administration functions. The hard disk-based components of the Agent would perform in a method similar to that of the SPC, contacting the Server at specified intervals and transmitting data back and forth as necessary to complete its scheduled tasks 769.

Alternatively, the SPC may be implemented in the CPU of the computer 10, the DSP of the modem, or in the form of integrated circuits or hard wired circuits, as more fully addressed below.

The segmented Agent may be configured to communicate with the host monitoring server via modem call and/or internet.

Modem Agent

Referring to FIG. 8A, according to another embodiment of the invention, instead of being installed in the ROM BIOS of the computer, the Agent is installed into the Flash ROM (or EPROM) 811 or DSP 812 of the computer modem, either on a plug-in card or built-in on the motherboard (810) of the computer. The Agent can be embedded into the modem Flash ROM (or EPROM 811) or DSP 812 by an installation utility that runs on the computer, or it can be embedded into the modem Flash ROM or DSP by the manufacturer. The Modem Agent can communicate with the Host Monitoring System through the PSTN 813 at scheduled times without the involvement of the PC processor. Thus, the Modem Agent is independent of the software running on the computer including the operating system.

The Modem Agent enables a monitored computer to communicate to the monitoring server even if a new disk drive is installed. This provides a much more secure method of locating stolen computers where modifications are made to the computers before they are used. In the case where computers are stripped for parts, the Modem Agent will still be able to be located. Integration of the Modem Agent onto the motherboard of the computer will not allow the Modem Agent to become separated from the motherboard, protecting the most important component of the computer.

A. Modem Hardware Architecture

The hardware architecture consists of a programmable modem either in a plug-in card 820 or a module 830 integrated onto the motherboard 831 of the monitored computer as shown in FIG. 8B and FIG. 8C respectively. Plug-in card based modems 820 are usually programmable but can be removed from the monitored computer. This prevents the modems from tracking the main portion of the computer. Modem modules 830 integrated directly onto the motherboard can not be removed from the main portion of the computer. The modem module 830 is coupled to the CPU 832 and RAM 833.

The modem module 830 or plug-in card 820 will contain a modem chip set 824, 834 that provides the modem communication (encoding and modulation) and modem controller functions. Depending on the manufacturer of the chip set, it may contain a single or multiple DSPs and possibly a microcontroller. The DSP will usually provide the communication software for encoding and modulation. The microcontroller will usually provide the modem controller software but some chip sets provide two DSPs for both functions. Along with the chip set the modem will contain RAM 825, 835, a flash programmable EPROM 826, 836, A/D and D/A converters 827, 837 as well as a POTS interface 828, 838.

The RAM is used by the modem chip set as its main 
memory. The flash programmable EPROM is used to store 
the modem software. A/D and D/A converters with the 
POTS interface allow the chip set to send/receive signals
over the analog PSTN phone lines. 

While the Modem Agent is described below in connection 
with communications with the host monitoring server via 
modem call, the Modem Agent may be configured with the 
additional and/or alternate function of communicating with 
the host monitoring server via internet. 
B. Modem Agent Software Architecture 
The Modem Agent resides on either a software upgradable
ISA or PCI modem card or a memory mapped/ISA
mapped modem module integrated on the mother board. 
These modems usually consist of two software entities, the 
controller software 841 and the communications software 
842 as shown in FIG. 8D. The controller software 841 
contains the software that controls the interface between the 
PC 845 and the communications software 842 as well as the 
POTS interface 844. It allows application software to com- 
municate with and control the actions and parameters of the 
communication software 842. 

The communication software 842 contains the modem 
communication functionality that provides the encoding and 
modulation schemes employed during communications. The 
communication software usually runs on a DSP while the 
controller software usually runs on a separate microcontrol- 
ler. However, some modems use a single processor to 
provide both functions. The communications software is 
usually not modifiable and is proprietary to the manufacturer
of the modem chip set. 

A third software entity, the Modem Agent 843, must be 
added to the modem software. The Modem Agent will reside 
on the processor that contains the Modem controller or the 
Flash EPROM or ROM. The Modem Agent will receive 
extended AT commands from the Agent Configuration Util- 
ity 846. These extended AT commands will be proprietary to 
the host monitoring service and will each require a pass- 
word. The Modem Agent will also be able to communicate 
with the host monitoring server directly. This capability will 
be provided by the call management function within the 
Modem Agent. (See FIG. 8E and discussions below.) 

The Modem Agent 843 will run in parallel to the modem 
controller 841 such that no modifications to the manufac- 
turer's software in the modem controller will be required. 
The modem controller will respond to the extended AT 
commands with "ERROR". However, the Modem Agent 
will qualify the error response with an extension response to 
indicate that the command was recognized and executed
correctly if the syntax of the command and the password are 
correct. This will allow the standard modem controller code 
to function as is and still allow the Modem Agent to respond 
to commands. 

Referring to FIG. 8E, the Modem Agent 843 consists of
three main program components: the command interface 
module 801, the command function module 802, and the call 
management function module 803. The command interface 
module 801 will handle all communications with the PC 
interface, in parallel with the modem controller. This will 
allow the command module to communicate with PC appli- 
cations. Its functions will include receiving/transmitting of 
controller characters from/to the PC as well as AT command
identification. The command interface module 801 supports 
extended AT modem commands that enable control and 
configuration of the Modem Agent. The extended AT 
modem commands include but are not limited to: set ESN, 
set dial strings, enable monitoring, disable monitoring, 
report status, initiate monitoring call, and set local time. All 
of the extended commands are password protected to pre- 
vent unauthorized access and detection of the Modem 
Agent. 

The commands function module 802 implements the 
functionality of the extended AT commands as well as 
functions required to communicate to the monitoring server. 
This could include call initialization, call scheduling, ESN 
identification, status monitoring, mode management, etc. 

The call management function module 803 will provide 
the interface to the monitoring server. It will allow the 
command module to communicate with the monitoring 
server. Its functions will include receiving/transmitting of 
data from/to the monitoring server and controlling the 
modem communication interface. The call management 
function module 803 contains the Secure Protocol Component
(SPC) of the Segmented Agent as described before.
C. Modem Agent Functions 

The Modem Agent provides two sets of functions. Firstly, 
to communicate with the PC's CPU, a set of extended AT 
commands are required. Secondly, to communicate with the 
host monitoring server, a set of functions are required. 
1. Extended AT Commands 

The Modem Agent supports extended AT commands to: 

a. set ESN 

This command allows a configuration application to 
modify the ESN number that the Modem Agent uses 
when connecting to the host monitoring server. This 
command is used to configure new Modem Agents as 
well as change the ESN when a new number has been 
assigned to it. 

b. set dial strings 

This command allows a configuration application to 
modify the number dialed when contacting the host 
monitoring server. This command is used to configure 
new Modem Agents with the correct dial-up phone 
number for the host monitoring server as well as 
modify it if a change is required. 

c. enable monitoring 

This command allows a configuration application to 
enable the monitoring service of the Modem Agent. 
This command is used to re-enable monitoring if the 
service has previously been disabled. 

d. disable monitoring 

This command allows a configuration application to dis- 
able the monitoring service of the Modem Agent. This 
command is used when the owner of the monitored PC 
wishes to terminate the electronic device trace service. 
The command will turn off the Modem Agent functions 
and AT commands with the exception of the enable 
monitoring command. 

e. report status 

This command allows a configuration application to 
report the status of the Modem Agent. 

f. force contact with Monitoring Server

This command allows an application to force the Modem
Agent to contact the host monitoring server. This
command can be used, for example, to test the Modem
Agent configuration.

g. set local time

This command allows a configuration application to set
the current time on the Modem Agent. This is to allow
the Modem Agent to synchronize scheduled calling
times to local time.

h. set Alert Mode interval

This command allows the interval of the alert mode (as
described before) to be set.

All commands are password protected. The Modem
Agent is shipped with a default configuration. The password
accompanying each command will be calculated from the
argument of the command. This will make the AT commands
more difficult to defeat and will not allow the application
communicating with the Modem Agent to become out of
sync with its password. The calling application must take
care to not send AT commands while the modem is being
used by another application.

2. Modem to Server Functions

For the Modem Agent to communicate with the host
monitoring server, a set of functions are required to:

a. contact and communicate with monitoring server

When monitoring is enabled, the Modem Agent calls the
host monitoring server's phone. The Modem Agent
sends its ESN to the host monitoring server. The host
monitoring server tells the Modem Agent when to call
again. The Modem Agent calls back at the scheduled
time. A state diagram of the contact and communication
mechanism is shown in FIG. 8F.

b. schedule communications with monitoring server

The Modem Agent is not able to schedule contact times on
its own because it does not have access to a real-time
clock. However, the Modem Agent is capable of
measuring the passage of time. Thus, there is a need to
initialize the current date and time in the Modem Agent
upon power-up of the modem. This function can be
provided by the HLC in a segmented Agent
configuration described before, for example. If the modem
Agent does not receive from the HLC the current date
and time within a predetermined interval after
power-up, then the Modem Agent will enter alert mode and
initiate contact with the host monitoring server. When
the Modem Agent contacts the host monitoring server,
it will verify the time last set by the Agent
Configuration Utility.

c. prevent modem contention

The Modem Agent does not interfere with the use of the
modem by PC applications. Before calling the host
monitoring server, the Modem Agent ensures that the
modem is not currently in use. If a PC application starts
to use the modem, as indicated by the receipt of AT
commands by the modem, then the Modem Agent
immediately drops any active call and immediately
relinquishes control of the modem to the PC.

d. active alert mode

The Modem Agent will enter alert mode when it has not
received communications with the Agent Configuration
Utility or configuration application within X minutes.
The Modem Agent will then immediately attempt to
contact the monitoring server and will continue to
contact it every Y minutes until communications from
the Agent Configuration Utility are received (set
absolute time AT command). This mode is to prevent
thieves from removing the hard disk or reformatting the
hard disk to defeat the Agent tracing service.

CPU Agent

The Agent may be implemented in a CPU using an
[illegible] microprocessors which [illegible] microcode is the
layer of the CPU which translates all external
macrocode algorithm stored in volatile or non-volatile
memory into a microprocessor's internal execution codes.
Referring to FIG. 13A, the microcode patch 90 is
formatted and encrypted according to each specific chip
manufacturer's specifications. It is uploaded from the BIOS 91 to a
microcode patch area 93 and/or microcode storage 94 in the
CPU 92, after reset, during the POST initialization of the
computer. The microcode patch 90 can implement all the
functions of the conventional algorithmic Agent. Referring
also to FIG. 13B, the Agent may take a similar form as the
[illegible] of Segmented Agent described [illegible] SPC
[illegible] patch commu[illegible] modem 95 [illegible] of the normal
code stream [illegible] of the operating system or application
96) via the [illegible] and decoder 97 of the CPU 92.
Examples of microprocessors which allow for microcode
patching are the Pentium Pro and Pentium II processors
developed by Intel Corporation. Of course it is also possible
to implement the Agent in microcode or in logic circuitry
inside the CPU during the manufacturing process in addition
to the patching facility or exclusive of the patching facility
of the CPU.

The CPU Agent may be configured to communicate with
the host monitoring server via modem call and/or Internet.

Hardware Agent

The Agent may be implemented in hard wired circuitry or
a single integrated circuit using [illegible]
takes an engineer's logic specification and translates into the
data which is used to program, build, or design a hardware
device or circuit. The hardware device or circuit would then
execute according to the engineer's logic [illegible] and
perform the functions of the Agent by establishing a
communications link and sending and receiving data packets in
order to establish both the [illegible]
electronic device within which the hardware device or
circuit is included, thereby simulating the algorithmic
function of the Agent.

Host Identification and Filtering System

The Host Identification and Filtering System identifies
and filters out unwanted calls from agents. FIG. 9 is a flow
diagram of the host identification and filtering program
executed by host computer 3. Once the security program is
executed 26, the voice board waits 27 for the ring signal on
the telephone line 1. When a ring signal is detected 28, the
voice board 2 acknowledges the incoming call by sending a
signal to the telephone company 9B via telephone line 1
requesting that the caller ID and the dialed numbers be sent
to it. The voice board then waits until these numbers are
received 29, 30.

Once the caller ID and the dialed numbers have been
received, they are saved to the hard disk 31, 32. The security
program then compares the dialed numbers 33, which
provide an encoded version of the serial number of the client
computer 10 (coding scheme explained in detail below),
against a list of serial numbers stored on the hard disk 4. If
no match is found, the program lets the phone ring until the
client computer 10 hangs up the telephone line 34. In the
preferred embodiment, the client computer is programmed
to hang up after 30 seconds of unanswered ringing.
However, if a match is found, the security program routes
the call to an appropriate receiving line connected to a
modem 35, which answers the call. In an alternative
embodiment, the host 3 answers all calls and the serial
number of the client computer 10 is provided in a separate
[illegible]
dialed phone numbers 172. The first
eight dialed digits after the first "1" are meaningless. The
ninth dialed digit "N" 175, indicates which digit position
within the serial number that the tenth dialed number
corresponds to. The tenth dialed digit "D" provides the Nth
digit of the serial number. The host computer 3 receives the
six complete dialed phone numbers 172 and decodes them
173 by looking at only the ninth and tenth dialed digits. The
client computer serial number 174 is thus reproduced.

For example, in the sequence "800-996-5511", the only
relevant digits are the "11" portion. The first "1" indicates
that the digit immediate to its right (1) is the first digit in the
serial number. Similarly, in the sequence "800-996-5526",
the "2" indicates that the number immediate to its right (6)
is the second number in the serial number. The client
computer, in total, dials six numbers 172 in order to convey
its six-digit serial number to the host.

In order to accommodate this method of serial number
coding the host monitoring system needs to subscribe to
sixty different phone numbers. All sixty numbers should
have the same first eight digits, and only vary from one
another with respect to the last two digits. The ninth digit
need only vary from "1" through "6" corresponding to the
six digits within a serial code. However, the last digit must
vary from "0" to "9".

Referring to FIG. 10B, the encoding methodology can
alternatively be modified such that the client computer need
only call the host three times to convey its serial number
180. According to this coding method, two digits of the
serial number 186 would be transmitted in each call. Thus,
the eighth dialed digit 185 would vary from "1" to "3",
corresponding to the three packets of two digits 186 that
make up the serial number 180. The ninth and tenth dialed
digits 186 would vary from "0" through "9". However, this
would require the operator of the monitoring system to
subscribe to three hundred different phone numbers.

Host Processing, Auditing and Communication Subsystem

The host processing, auditing and communication
subsystem receives and transmits information to and from
clients. FIG. 11A is a flow diagram of the host
communication program executed by host computer 3. After the host
computer 3 is powered on 36, communication equipment is
instructed to wait 37 for the telecommunication begin signal
from the client computer 10. The telecommunication
equipment acknowledges the begin signal by initiating a session
to communicate with the client computer 38 and preparing
the host to receive data packets from the client 39. The
program first establishes that the client computer is sending
data packets and that it has received all of the packets 40, 41.
Next the program determines if the client has any data or
commands to be sent to the host 42. If not, the session is
terminated 43, and the cycle is repeated 37. When all data
packets have been received, the program permits the host to
send data packets to the client computer. The program
prepares to send data packets 44, and then establishes that
there are more data packets to be sent 45 before sending each
packet 46. Once all data packets have been sent, the program
terminates the session 43, hangs up the phone, and prepares
to repeat the entire cycle 37. Host-side source codes are
disclosed in the copending patent application Ser. Nos.
08/826,098 and 08/558,432 which had been incorporated by
reference here.

Referring to FIG. 11B, the host processing, auditing and
communication subsystem for the Internet application
receives and transmits information to and from clients over
[illegible] with the Internet application. After the host
computer is powered on [illegible] TCP/IP
[illegible]. Next, the DNS request [illegible]
client computer identification [illegible]. A [illegible] is made to
determine whether the computer has been stolen 36e. This is
accomplished by comparing the identification number of the
client computer with a list of reported lost or stolen
computers which is stored by the host computer. If it has been
stolen a suitable message 36f is returned to the client
computer 10. In the preferred embodiment, the message is
provided by setting the IP address of the next transmission
to the client computer to "204.174.10.1" 36f. If the client
computer is not stolen, an alternate message is returned 36g.
In the preferred embodiment this is achieved by setting the
IP address to "207.174.10.16" 36g. The host uses either of
these two IP addresses to form a response to the DNS query
received from the client computer 36h. The host then sends
the response to the client computer 36[illegible]. The host also records
the transaction on the hard disk. The host then prepares to
[illegible] in which
identification is encoded is illustrated. FIG. 11C shows the
various components of a host name which is used to form a
DNS request. The host name according to one embodiment
of the invention, is a string of characters including the date
and time 37, encoded client identification 38, and domain
name 39. The encoded client identification 38 is extracted
from the host name for decoding at the host Internet
subsystem 9y.

Host Notification Subsystem

The host notification subsystem notifies the end-users
regarding the status of their electronic devices. In FIG. 1,
various methods of notification such as electronic mail N1,
fax N2, paging N4, and telephone call N3, are depicted. FIG.
12 is a flow diagram of the host notification program
executed by host computer 3. The host notification program
determines whether there are any pending notification
instructions or commands 48. If there are pending
notifications, the information is retrieved 49. The program
then determines the preferred preselected notification
method 50, and formulates the message to be dispatched 51
according to the preselected notification method. This
message is dispatched to the end-user 52. After dispatching the
message, the program repeats the entire cycle 47. Host-side
source codes are disclosed in the copending patent
application Ser. Nos. 08/826,098 and 08/558,432 which had been
incorporated by reference herein.

Variations and Alternatives

The above description relates to the Agent security system
installed and operating in a conventional PC with an Intel
80X86 microprocessor or equivalent and with a
conventional MS-DOS or PC-DOS operating system. It will be
recognized that the system can be modified to fit other types
of computers including, for example, those sold under the
trademark Macintosh. The system can easily be modified to
suit other types of operating systems or computers as they
develop.

The above system is also intended to be added to existing
computers without physical alteration. Another approach is
to modify the ROM of such computers to contain the Agent
security system. The Agent security system also may be
incorporated into the ROM of portable computers, cellular
telephones or other electronic devices when they are
manufactured.
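The dialed-digit serial coding described above for FIG. 10A and FIG. 10B, together with the host's match against its list of serial numbers, is sketched below as an added example; it is not the host-side source code the patent refers to. The function names, the parameter k (serial digits carried per call) and the serial "164203" are constructed for illustration; the eight fixed digits are taken from the example number "800-996-5511".

```python
BASE = "80099655"  # eight fixed digits from the example "800-996-5511"

def encode_serial(serial, k=1, base=BASE):
    """Client side: one 10-digit number per packet of k serial digits.
    k=1 is the FIG. 10A coding, k=2 the FIG. 10B variant."""
    if not serial.isdigit() or len(serial) % k:
        raise ValueError("serial must be digits, length divisible by k")
    prefix = base[:9 - k]  # fixed digits that precede the position digit
    return [f"{prefix}{i // k + 1}{serial[i:i + k]}"
            for i in range(0, len(serial), k)]

def decode_calls(dialed, serial_len=6, k=1):
    """Host side: rebuild the serial from the position digit and the k
    data digits of each dialed number; all other digits are ignored."""
    packets = {}
    for number in dialed:
        digits = "".join(c for c in number if c.isdigit())[-10:]
        if len(digits) != 10:
            raise ValueError(f"not a 10-digit number: {number!r}")
        pos, data = int(digits[9 - k]), digits[10 - k:]
        if not 1 <= pos <= serial_len // k:
            raise ValueError(f"position {pos} out of range")
        # A redial of the same number is harmless; a conflict is not.
        if packets.setdefault(pos, data) != data:
            raise ValueError(f"conflicting data for position {pos}")
    missing = [p for p in range(1, serial_len // k + 1) if p not in packets]
    if missing:
        raise ValueError(f"missing positions {missing}")
    return "".join(packets[p] for p in sorted(packets))

def numbers_to_subscribe(serial_len=6, k=1):
    """Phone numbers the host must own: one per (position, data) pair."""
    return (serial_len // k) * 10 ** k

def screen_calls(dialed, known_serials, **kw):
    """Filtering step: return the serial only if it decodes and is on
    the host's list; None means the call is left unanswered."""
    try:
        serial = decode_calls(dialed, **kw)
    except ValueError:
        return None
    return serial if serial in known_serials else None

if __name__ == "__main__":
    calls = encode_serial("164203")            # constructed serial
    print(calls)                               # six numbers, FIG. 10A
    print(decode_calls(reversed(calls)))       # call order does not matter
    print(numbers_to_subscribe(6, 1), numbers_to_subscribe(6, 2))
```

The subscription counts it computes match the sixty and three hundred numbers stated above, which shows the trade-off between calls per report and numbers the operator must hold.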



